Product Group Tests

Digital forensics (2009)

Group Summary

A powerful product with plenty of easy-to-use features makes LogRhythm LR1000 XM our Best Buy this month.

A comprehensive list of features, logically deployed, gives ProDiscover IR v5.5 our Recommended award.


Full Group Summary

A good investigation draws on multiple sources. We put nine products in the lab. By Keith Gilbert.

Long gone are the days in which conducting a forensic analysis meant pulling the plug and imaging the hard drive. We now know that valuable investigative data resides in a large variety of locations throughout the digital continuum. A successful investigation may rely on the ability to find and interpret the variety of data from these multiple locations.

As a result, the number of tools being designed with forensic capabilities is growing. The traditional media analysis tools still have a firm place, but they now often include the ability to carry out all the traditional tasks over the network. Some tools can complete a live analysis of a target system over the network as well. Beyond the more traditional products, the tools become more specialised and, in some cases, less obvious.

On the media front, one category of specialised tools we tested is mobile device forensics. The most obvious application for these is to analyse mobile phones and PDAs, but devices such as GPS units and digital cameras are also gaining support. These tools can acquire data such as deleted SMS messages, call logs, stored media and so on. We also tested tools with specialised memory forensics applications. This type of functionality could be useful in analysing instances of malware or network intrusions: features that are invaluable today, but were not even considered in the past.

We also tested products that provide a wide range of network-based forensics capabilities. Many are focused on log aggregation, correlation and analysis, with other features spread throughout. The ability to actively monitor and receive alerts based on criteria such as link analysis and system status could also be considered a defensive mechanism. Once the normal event levels, system states and statistics have been ironed out, the final result can be most beneficial. Some of these tools also have the ability to carry out more obvious forensics tasks, such as the live analysis and monitoring of systems on the network.

What to look for
To determine what you must look for, you need to examine what you already have. Your answer will serve as a guide in determining which type of forensic tools you should consider purchasing next.

Acquiring different tools over time will help you build a comprehensive forensics solution. You will be able to resolve your investigations more quickly and efficiently with a large toolset at your disposal.

Knowing how you plan on using your new tool is one of the most important aspects of making a decision. If you have special analysis tasks to perform, you may move in the direction of a specialised tool. On the other hand, more general-purpose tools will provide a wider range of features. Your decision should be based upon whether the tool meets all of your data analysis requirements within its genre.

While many media forensics tools have a clear purpose and selection criteria, this is not always the case with the network tools. It is even more important to know how you plan on using such products. Depending upon your needs, you'll have to choose between an over-the-network forensic tool, a network forensics tool and the more specialised log aggregators. The latter category can be very useful in obtaining a holistic view of an incident as it occurred throughout your network.

One important thing to think about with the network forensics category is whether or not the primary function of that tool is forensics. While a tool may implicitly provide very useful forensic functions, it may not provide case-management features. If that is the case, an investigator who uses the tool in that manner will have to take specific care to maintain all requirements.

How we tested
Our testing this month varied considerably because each category of tool required a different method of testing. The network log-based tools were attached to a test network and fed a standard set of logs that we use to test similar equipment. The mobile device forensics software was tested using either a BlackBerry smartphone or a Garmin Nuvi GPS device. Software packages focused on over-the-network forensic analysis were tested on a target machine within our test bed.

It is important to keep in mind the variety of tools that we tested this month. Our ratings were not based on how each product performed within our group, but rather on how well that product performed within its own niche.
